To acquire administrative credentials the attackers deployed Mimikatz, an open-source instrument for extracting native credentials. They dumped the Home windows Safety Accounts Supervisor (SAM) and tried to guess SMB credentials by utilizing password spraying and different brute pressure methods. As soon as credentials have been obtained, the attackers used PuTTY Hyperlink (plink), a community connection instrument, to entry different methods.
Data exfiltration and system wiping
Within the subsequent stage of the compromise, the attacker deployed the primary customized instrument known as sqlextractor. As its title implies, the instrument is used to hook up with databases and extract info, notably information like nationwide ID numbers, passport scans, e-mail addresses, and full addresses. The info is saved in CSV format and is then archived and exfiltrated to a command-and-control server by utilizing public instruments corresponding to WinSCP or Pscp.exe (PuTTY Safe Copy Protocol). Course of reminiscence dumps saved as .dmp recordsdata have been additionally exfiltrated.
“Throughout the incident, the attackers tried to make use of three separate wipers as a part of the damaging assault,” the researchers mentioned. “Whereas a number of the wipers present code similarities to beforehand reported wipers the Agonizing Serpens group used, others are thought of model new and have been used for the primary time on this assault.”
The primary wiper is known as MultiLayer and is written in .NET. It deploys two binaries known as MultiList and MultiWip. MultiList is used to enumerate all recordsdata on the system and construct a listing of file paths with sure folders excluded, whereas MultiWip is the file wiping element which begins overwriting native recordsdata with random information.
To make information restoration makes an attempt more durable, the wiper adjustments the timestamps of the focused recordsdata and adjustments their authentic paths earlier than deleting them. MultiLayer additionally deletes all of the Home windows Occasion logs, the amount shadow copies and the primary 512 bytes of the bodily disk which holds the boot sector to go away methods unbootable after restart. It then deletes itself and all scripts it created and used.
The Palo Alto researchers famous that MultiLayer shares the identical operate naming conventions and even complete code blocks with different customized instruments beforehand related to Agonizing Serpens, corresponding to Apostle, IPsec Helper, and Fantasy. This might be the results of the instruments sharing the identical code base or being created by the identical developer.
